Re: [stir] Roman Danyliw's Discuss on draft-ietf-stir-passport-rcd-23: (with DISCUSS and COMMENT)
pierce@numeracle.com Mon, 06 March 2023 17:27 UTC
Return-Path: <pierce@numeracle.com>
X-Original-To: stir@ietfa.amsl.com
Delivered-To: stir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A676C14F5E0 for <stir@ietfa.amsl.com>; Mon, 6 Mar 2023 09:27:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=numeracle.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id avMJxenvaygb for <stir@ietfa.amsl.com>; Mon, 6 Mar 2023 09:27:31 -0800 (PST)
Received: from mail-il1-x134.google.com (mail-il1-x134.google.com [IPv6:2607:f8b0:4864:20::134]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E3C28C14CE4E for <stir@ietf.org>; Mon, 6 Mar 2023 09:27:31 -0800 (PST)
Received: by mail-il1-x134.google.com with SMTP id x10so6717123ill.12 for <stir@ietf.org>; Mon, 06 Mar 2023 09:27:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=numeracle.com; s=google; t=1678123651; h=content-language:thread-index:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=kfieIPUF0MlXsjzh36+tNEa7OW+H1hA7EmpkW/xrI0E=; b=RE3MpIsm2vLt2m34VDf4M/lOg/++FJWM+3GRdHpRBjXd5x4BjNFTZYPDjZbSnJWobp 2SLwy/a1rDqQzhIBFUT6NyGJzZ647z9AlP12lP+rBUTHMwRdFizE9zXzM8Q4M3vMmUC9 EUVz799m0x2naoYv6K4ZagZ2WzR6xaCEE0Ebbb+u+cMwkAfujxqKQWFLzjyHrPCs6VlG KlXJngiZkFG9u+745dOIc/x/PggrekfEWz3B5OQZ8nHQAyoTUhgd3bnN/X69NmFTIk8j UfDgN5KMl9X/IiYJMzP9foTypM+9O5xfs1C7/Egcc5ERQJ5Zt4sKs1wMy58tHkZJqu3p hBlA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678123651; h=content-language:thread-index:mime-version:message-id:date:subject :in-reply-to:references:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=kfieIPUF0MlXsjzh36+tNEa7OW+H1hA7EmpkW/xrI0E=; b=35zwsnCZdFeCtsVWna3GcUDOIDnK7cAlveb1NpejJUg6eWbpMh9hw4YP2tUMrj4ofH hPp4FbIf40P1Sq7jLLFtVkTRdvF7xsHTXISciug2/uhwb2kUzniOTIlNrkjQ1EWYC7Rs VrHhxA9kj9qfo2Xv6mYUVIJPxIu4ktfVG54FG/0cM3BKasVHjm8WjPxxwUUsn7YnhM6a XnD0PZSKQ1sg8xbZreXXogSQISGMcPvqiOAIcB2Z2yjM4DshnOvsYa/JV1s+BZ/Iacbg 9yANSn15BfpAEaoP32QX1zp1xJSVRDKT4oEyfEZP65e4nsIirTovUR/HcQmHQPAj9mZD mmNg==
X-Gm-Message-State: AO0yUKUbykcuIig+ebUPxhLMWaqx1OV1eJ+8dOHa84sXZoUeDXAqpC8C 098gzVUcUYsRcC3J58xnS/qIWg==
X-Google-Smtp-Source: AK7set9op9aZev5EWzfKaNXQKCCHuYUl77YNoBy7TgkyCyafHU8E6v39RrClFcu1I84kuIvBHpcTgw==
X-Received: by 2002:a05:6e02:1522:b0:318:ab40:4e9b with SMTP id i2-20020a056e02152200b00318ab404e9bmr9874025ilu.2.1678123650832; Mon, 06 Mar 2023 09:27:30 -0800 (PST)
Received: from NumeracleLegion ([2605:a601:ae1c:4300:905e:d5eb:9533:90ec]) by smtp.gmail.com with ESMTPSA id y8-20020a02bb08000000b003c4e65fd6dfsm3382148jan.176.2023.03.06.09.27.29 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Mon, 06 Mar 2023 09:27:30 -0800 (PST)
From: pierce@numeracle.com
To: 'Chris Wendt' <chris-ietf@chriswendt.net>, 'Ben Campbell' <ben@nostrum.com>
Cc: 'Roman Danyliw' <rdd@cert.org>, 'The IESG' <iesg@ietf.org>, draft-ietf-stir-passport-rcd@ietf.org, 'STIR Chairs' <stir-chairs@ietf.org>, 'IETF STIR Mail List' <stir@ietf.org>, 'Russ Housley' <housley@vigilsec.com>
References: <166977514888.24379.6431023985333578193@ietfa.amsl.com> <B1A2B8C8-C478-4D67-86D1-5326E0206316@chriswendt.net> <9C71358E-DB39-40FC-BA18-734175B6BEA3@nostrum.com> <A78C373B-82DF-4504-ACC3-240F35291671@chriswendt.net>
In-Reply-To: <A78C373B-82DF-4504-ACC3-240F35291671@chriswendt.net>
Date: Mon, 06 Mar 2023 11:27:29 -0600
Message-ID: <089901d95050$eddd0130$c9970390$@numeracle.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_089A_01D9501E.A34417D0"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQGyFJLpIpPaVKge+S3Uad41o6Z0YAI1rGG0AZbiC18B2XFKDq8PRZEg
Content-Language: en-us
Archived-At: <https://mailarchive.ietf.org/arch/msg/stir/s7HbLV3TGs3JEq0RGw_EhnamsFQ>
Subject: Re: [stir] Roman Danyliw's Discuss on draft-ietf-stir-passport-rcd-23: (with DISCUSS and COMMENT)
X-BeenThere: stir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Telephone Identity Revisited <stir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/stir>, <mailto:stir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/stir/>
List-Post: <mailto:stir@ietf.org>
List-Help: <mailto:stir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/stir>, <mailto:stir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Mar 2023 17:27:36 -0000
I don’t know how much CID is in use, so I think you have to require HTTPS at least. I don’t have an opinion on whether you should specify “MUST be HTTPS or CID”. I remember that Alec Fenichel added some requirements to the ATIS-1000074 spec with regard to caching, port numbers for HTTPS and defense against SSRF. I don’t know if those would have been good to have also included the IETF RFC 8224 spec, but just want to mention that if there are similar performance and/or security considerations for CID, and you decide to include CID in this spec, you might want to see if there are any similar recommendations for CID as were available for HTTPS. Pierce From: stir <stir-bounces@ietf.org> On Behalf Of Chris Wendt Sent: Sunday, March 5, 2023 9:03 AM To: Ben Campbell <ben@nostrum.com> Cc: Roman Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org>; draft-ietf-stir-passport-rcd@ietf.org; STIR Chairs <stir-chairs@ietf.org>; IETF STIR Mail List <stir@ietf.org>; Russ Housley <housley@vigilsec.com> Subject: Re: [stir] Roman Danyliw's Discuss on draft-ietf-stir-passport-rcd-23: (with DISCUSS and COMMENT) Hi Ben, Yes, thanks for catching that, perhaps HTTPS or CID is best path. Curious for other opinions. -Chris On Mar 2, 2023, at 5:01 PM, Ben Campbell <ben@nostrum.com <mailto:ben@nostrum.com> > wrote: (No hats) I have a context related comment on one item: Thanks! Ben. On Mar 1, 2023, at 12:02 PM, Chris Wendt <chris-ietf@chriswendt.net <mailto:chris-ietf@chriswendt.net> > wrote: […] ** 5.*. Inconsistent requirements for URIs -- icn: appears to be any URI per Section 5.1.3. This would make gopher://, ftp://, https:// all equally valid. These have different security characteristics. -- jcd: per Section 5.1.4 “is intended to directly match the Call-Info header field value defined in [I-D.ietf-sipcore-callinfo-rcd].” Section 4 of that document says it “MUST define the use HTTPS or a transport that can validate the integrity of the source of the resource as well as the transport channel through which the resource is retrieved”. -- jcl: is an HTTPS URL (per Section 5.1.5) Why are these different? Support different levels of transport security? You are correct, i fixed “icn” to specifically be an HTTPS URL vs generic URI. jcd is not a URI, it’s a directly included JSON jcard object in the “rcd" claim. IIRC, a previous version did specify HTTPS URLs for “icn”, but we discussed the possibility that an icon could be imbedded in a body part of the SIP request and be referenced with a “cid” URL. I suppose that if that is true for “icn”, it is probably also true for “jcl”. That being said, I am not aware of anyone actually doing that (yet) will not object if we think it is better to limit it to HTTPS. (Or as a compromise, say it MUST be either HTTPS or CID?) […]
- [stir] Roman Danyliw's Discuss on draft-ietf-stir… Roman Danyliw via Datatracker
- Re: [stir] Roman Danyliw's Discuss on draft-ietf-… Chris Wendt
- Re: [stir] Roman Danyliw's Discuss on draft-ietf-… Ben Campbell
- Re: [stir] Roman Danyliw's Discuss on draft-ietf-… Chris Wendt
- Re: [stir] Roman Danyliw's Discuss on draft-ietf-… pierce
- Re: [stir] Roman Danyliw's Discuss on draft-ietf-… Alec Fenichel
- Re: [stir] Roman Danyliw's Discuss on draft-ietf-… Ben Campbell
- Re: [stir] Roman Danyliw's Discuss on draft-ietf-… Ben Campbell
- Re: [stir] Roman Danyliw's Discuss on draft-ietf-… DOLLY, MARTIN C